A specific in-app advertisement may be able to install an app on Android devices without the user’s consent. The app reportedly uses the infrastructure of advertising company Digital Turbine to bypass the Google Play Store.
Users of the weather app Weather Home – Live Radar Alerts & Widget reported through user reviews that the application was installed without their permission after they saw it featured in an in-app advertisement. One of the users who reported the issue on the Google Play Store was tracked down by a user of the /r/Androiddev subreddit. After that, more evidence about the incident was shared. The weather app in question currently has a large number of negative user reviews in Google’s app store.
So far, only one app has been discovered that could be installed via an advertisement without user consent or involvement of the Google Play Store. It is not yet clear whether the developers behind the app are abusing Digital Turbine’s system, or whether something else is going on. For example, malware could be installed on users’ smartphones in the same way, should the company’s advertising infrastructure contain vulnerabilities.
The application in question uses Digital Turbine’s demand-side platform (DSP), Reddit user /u/omniuni explained in a comment. Such a platform lets companies buy advertising space in an automated way. Manufacturers and providers, but also Google, can install the relevant DSP via Android at system level; on such devices, an app from Digital Turbine called Ignite runs in the background. The makers or original owners of a smartphone can then install Android apps via this application without permission. In addition to advertised apps, bloatware can be installed in this way, for example during the installation process of a new smartphone.
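A check a device owner or fleet administrator can run against this kind of install path, as an added example that is not part of the original article: Android records an installer for each package, and `adb shell pm list packages -i -3` prints it for third-party apps. The script below flags every package whose recorded installer is not the Google Play Store. The sample listing and all `com.example.*` names are constructed, and it is an assumption that a preloaded system installer shows up as the installer of record.

```python
import re

# Installer Android records for apps that came through the Google Play Store.
PLAY_STORE = "com.android.vending"

# One line of `pm list packages -i -3` looks like:
#   package:com.example.app  installer=com.android.vending
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output; com.example.preload.installer is a placeholder
# for a preloaded system installer, not a real package name.
SAMPLE = """\
package:com.example.weather  installer=com.example.preload.installer
package:com.example.notes  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.chat  installer=com.android.vending
"""


def parse_installers(listing):
    """Map package name -> installer of record (None if none was recorded)."""
    result = {}
    for line in listing.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and adb noise
        installer = match.group("installer")
        result[match.group("pkg")] = None if installer == "null" else installer
    return result


def not_from_play(listing, trusted=(PLAY_STORE,)):
    """Return (package, installer) pairs whose installer is not trusted."""
    flagged = [
        (pkg, inst)
        for pkg, inst in parse_installers(listing).items()
        if inst not in trusted
    ]
    return sorted(flagged, key=lambda pair: pair[0])


if __name__ == "__main__":
    for pkg, inst in not_from_play(SAMPLE):
        print(f"{pkg}: installed by {inst or 'unknown (no installer recorded)'}")
```

A flagged package is not necessarily unwanted; it only means the install did not go through the Play Store and deserves a look at when and how it arrived.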
In a short explanation to /u/omniuni, Digital Turbine explains that the entire incident is not intended and promises to make an official statement later. The company emphasizes that Ignite is absolutely not intended to install applications in this way without the user’s consent. In addition, according to the company, apps installed via Ignite are always verified by Digital Turbine before and after installation. Such apps should be registered in the Google Play Store for this. It is unknown whether this process also took place for the weather app in question.
The weather app in question was installed without the user’s consent via an in-app advertisement. Image via Reddit